ISO 27001 Updates to the 2022 Version – What You Need To Know


On October 25, 2022, ISO 27001 was updated from the ISO/IEC 27001:2013 version to the new ISO/IEC 27001:2022. The objective of this article is to inform you about what the changes are and timelines for adopting the 2022 version, irrespective of whether this is your initial certification or you are transitioning from the 2013 version.

What has Changed?

  • Title of the standard is changed to Information security, cybersecurity, and privacy protection — Information security management systems — Requirements.
  • Minor wording or clarification changes to ISO 27001 clauses:
    • Clause 4.2 (Understanding the needs and expectations of interested parties), clause 4.2 (c) was added – requirements of the interested party to be addressed through the ISMS.
    • Clause 6.2 (Information security objectives and planning to achieve them), clause 6.2 (d) was added that requires objectives to be monitored.
    • Clause 6.3 (Planning of changes) was added, requiring that any change in the ISMS needs to be done in a planned manner.
    • Clause 8.1 (Operational planning and control), new requirements were added for:
      • establishing criteria for security processes, and
      • implementing processes according to those criteria.
    • Clause 9.3 (Management review), new clause 9.3.2 c) was added – changes in needs and expectations of interested parties that are relevant to the information security management system.
  • Significant changes to the Annex A Security Controls as follows:
    • Number of controls has decreased from 114 to 93.
      • None of the previous controls have been deleted.
      • 35 controls have stayed the same
      • 23 controls have only been renamed
      • 57 controls were merged
      • 1 control was split
    • Controls are placed into 4 control groups, instead of the previous 14 as follows:
      • 5 Organizational Controls (37 Controls)
      • 6 People Controls (8 Controls)
      • 7 Physical Controls (14 Controls)
      • 8 Technological Controls (34 Controls)
    • 11 new controls focused on the following areas:
      • 5.7 Threat intelligence
      • 5.23 Information security for the use of cloud services
      • 5.30 ICT readiness for business continuity
      • 7.4 Physical security monitoring
      • 8.9 Configuration management
      • 8.10 Information deletion
      • 8.11 Data masking
      • 8.12 Data leakage prevention
      • 8.16 Monitoring activities
      • 8.23 Web filtering
      • 8.28 Secure coding

Key Dates for Adopting ISO 27001:2022

  • If you are currently certified under ISO 27001:2013 you have until October 31, 2025 to transition to ISO/IEC 27001:2022 at which time your ISO 27001:2013 will expire or be withdrawn.
  • Organizations pursuing ISO 27001 for the first time (both Stage 1 and Stage 2 audits) can be certified on the 27001:2013 version until April 30, 2024. You will then have to transition to the 2022 version within the transition period which ends on October 31, 2025.
  • Starting May 1, 2024, all new certifications must be under the new ISO 27001:2022 version. Similarly, after  May 1, 2024, we recommend that all recertification audits be done utilizing the ISO 27001:2022 version.
  • We recommend that upgrade audits be completed by August 31, 2025 to give you adequate time to address any non-conformances and complete your upgrade in an organized and effective manner.

Plan to Upgrade to ISO 27001:2022

We recommend organizations develop a transition plan to achieve certification under the update standard, ensuring your plan includes at a minimum the following elements:

  • You can perform the upgrade audits to the ISO 27001:2022 in the normal course and timing of your Surveillance audit or Recertification audit or as a separate Special Audit.
  • We recommend performing a ‘Gap Analysis’ against ISO 27001:2022 and help ensure that you understand and remediate any needed changes to your Information security management system.
  • Update your Statement of Applicability (SoA) along with needed changes to your Risk Assessment.
  • Perform Internal Audit and Management Review to include the updates to the standard.

Reach out to your AARC-360 team for guidance as you develop your transition plan with any questions or guidance needed as you navigate through adopting the new standard.

Co-Authored By
Neelov Kar (ISO Practice Leader, AARC-360)
Rashmi Mishra (ISO Lead Auditor, AARC-360)
Neil Gonsalves (Founder and CEO, AARC-360)